University of Maryland, College Park

1
(No Transcript)
2
University of Maryland, College Park

• Carnegie Doctoral/Research University Extensive
• 18th ranked public university (US News)
• Celebrated 150th anniversary in 2006
• Total budget 1.4B
• Enrollment
• Undergraduate 25,857
• Graduate 10,157

3
University of Maryland, College Park (contd)

• Employees
• Faculty 3,752 (full-time and part-time)
• Staff 4,829
• Graduate assistants 3,873
• University structure and degrees
• 1250 acres
• Land grant institution for the State of Maryland
• 13 colleges/schools (no medical school)
• 127 undergraduate majors
• 112 graduate degrees

4
The Research University Environment

• Academic ingenuity reigns (universities
  understand and teach chaos theory)
• Decentralized information technology environment
  for education and research
• gt130 email systems, separate IT groups in every
  large unit
• Loose federation for IT direction
• Strict accountability for central IT
• Complex, multivendor environment not conforming
  to one grand plan
• Stovepipes are woven into the history

5
Campus Systems and Facilities

• Administrative system environment
• Locally written administrative systems
• Mostly mainframe based
• Vendor solutions around the edges (e.g. student
  recruitment)
• Networking
• 3500 wireless access points
• Host institution for the Mid-Atlantic Crossroads
• Member of Internet2
• Data centers
• Two main central IT data centers
• Contracted mainframe disaster recovery site

6
Old School Method of Audit Performance Improvement
Audit Findings
Central IT0
Central IT1.0
Audit Findings
Central IT2.0

Audit Findings
Central IT3.0
7
Case Study

• State audit report published in September 2003
• 10 Findings including 3 repeated findings
• State audit began in October 2004
• State audit report published in January 2006
• 7 Findings including 6 repeated findings
• Obviously moving in the wrong direction

8
Motivation for Change

• Auditors are a free consulting service
• Expect decreased number of security incidents
• Expect decreased risk
• External perception of institution
• Professional pride
• Points of light in every organization
• Long term payoffs (with short term pain)

9
New School Method of Audit Performance Improvement
USM Guidelines
Central IT0
Central IT1.0
Minor Audit Findings
Central IT1.1

Minor Audit Findings
Central IT1.2
10
Do The Hard Work

• Step 1 Start with the goal of conforming to all
  aspects of the USM guidelines
• Step 2 Create a set of deliverables that will
  accomplish the goal
• Step 3 Create a project plan that results in
  accomplishing all deliverables and assigns
  responsibility (98 deliverables, 503 line items)
• Step 4 Track progress
• Step 5 Make mid-course corrections as needed

11
Track Progress
12
Does it work?????
13
Does it work part 2
The jury is out the auditors are on campus and
not finished
14
Future Method of Audit Performance Improvement
FISCAM ITIL
Central IT0
Central IT1.00
Really Minor Audit Findings
Central IT1.01

Really Minor Audit Findings
Central IT1.02
15
Pursue a Comprehensive Approach

• Get the institution involved
• NSA Academic Center of Excellence in Information
  Assurance
• Create the next generation of audit analysts for
  the institution
• Make it easy for units to reduce risk
• Look for software that can be campus site
  licensed
• Whole disk encryption to be available campus-wide
• Put campus policies in place that give
  responsibility for critical systems (e.g.
  networks, administrative systems) squarely on
  central IT
• Provide audit consulting to other units
  throughout the year

16
If A Research University Wants To Be Better

• Create an infrastructure for success
• Hire an internal IT auditor to be part of the
  central IT security staff, the point of contact
  for external auditors and consultant for all
  university units
• Create an ethics organization
• Establish a solid working relationship with the
  external auditors
• Raise awareness on campus
• Conduct formal audits of campus units with their
  cooperation
• Set a goal, develop a plan, recognize the
  implementation will take years, and there will be
  a budget impact

17
If A Research University Wants To Be WAAAY Better

• Information Technology Infrastructure Library
• Applications management
• Change management
• Asset and configuration management
• Incident management
• Operations management
• Problem management
• Release and deployment management
• Service continuity management

18
Project NEThicsInternet Ethics NEThics

• Mission to promote responsible use of
  information technology through user education and
  policy enforcement
• Web site www.nethics.umd.edu

19
Im Here To Help

• Proactive best practices pointers
• High level analysis of the public audits from
  other agencies/units
• Prioritization of audit areas to address
• Citing the good things, even informally

20
Future Technology Challenges

• WiMAX high speed connectivity
• Mobile devices containing sensitive data
• Grid/distributed computing

21
Future Software Challenges

• Open source
• Kuali Foundation
• Source code modifications by other institutions
• Service Oriented Architecture for distributed
  computing
• The rise of open systems
• The fall of the mainframe
• Virtual teams
• Beyond the firewall
• Log overload
• Too many systems generating too many logs that
  need expensive log analysis tools to make any
  sense of the data

22
Contact Information
Dr. Jeff Huskamp Vice President and
CIO University of Maryland 1122 Patuxent
Building College Park, MD 20742 Email
jhuskamp_at_umd.edu